CSP: style-src hashes ignored in browser - content-security-policy

All the css hashes were added to the CSP (in index.html), also using 'unsafe-hashes' but they are still reported in browser console.
(Screenshot: Chrome console vs. index.html file)
How can I fix this, that the browser will not refuse to apply these styles?
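One way to check what the browser will actually accept, as an added example that is not part of the question: the token must be the base64 SHA-256 of the element's text exactly as it sits in index.html (leading newline and indentation included), and hashes for style="..." attributes only take effect together with 'unsafe-hashes'. The HTML below is a constructed sample.

```python
"""Compute the CSP hash tokens a browser expects for inline CSS.

Added example, not code from the original post. The hash covers the text
between <style> and </style> byte for byte, so a hash computed over a
trimmed copy of the CSS will never match and the style is refused.
"""
import base64
import hashlib
import re

# Constructed sample page: one <style> element and one style attribute.
SAMPLE_HTML = """<html><head>
<style>
  body { margin: 0; }
</style>
</head><body><p style="color: red">hi</p></body></html>"""


def csp_hash(text: str) -> str:
    """Return the quoted 'sha256-<base64>' token for the given source text."""
    digest = hashlib.sha256(text.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def inline_style_elements(html: str) -> list:
    """Text content of every <style> element, whitespace preserved."""
    return re.findall(r"<style[^>]*>(.*?)</style>", html, flags=re.S)


def style_attributes(html: str) -> list:
    """Values of style="..." attributes; these need 'unsafe-hashes' too."""
    return re.findall(r'\sstyle="([^"]*)"', html)


def build_style_src(html: str) -> str:
    """Build a style-src directive that covers all inline CSS in html."""
    sources = ["'self'"]
    sources += [csp_hash(t) for t in inline_style_elements(html)]
    attrs = style_attributes(html)
    if attrs:
        # Hashes for attributes are only honoured alongside 'unsafe-hashes'.
        sources.append("'unsafe-hashes'")
        sources += [csp_hash(a) for a in attrs]
    return "style-src " + " ".join(sources)


def hash_matches(token: str, text: str) -> bool:
    """True if a token taken from a CSP equals the hash of text.

    Useful for comparing the hash the console reports against the one in
    your policy: a mismatch means the hashed text differs from the markup.
    """
    return token.strip("'") == csp_hash(text).strip("'")
```

Chrome prints the hash it computed in the console message, so feeding the reported value and the element text to hash_matches tells you whether the policy token or the markup is the one that drifted.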

Related

content security policy frame-ancestors

I'm trying to load my content into an IFrame, so I implemented the Content-Security-Policy header: Content-Security-Policy: frame-ancestors http://*.example.com/abc.html.
I am able to load the content on iframe when I give the header as
Content-Security-Policy: frame-ancestors http://*.example.com/.
But when I change the header to:
Content-Security-Policy: frame-ancestors self http://*.example.com/abc.html.
then the content in the iframe gets loaded the first time, but gives the below error when I refresh the web page:
Refused to display 'https://....' in a frame because an ancestor violates the following Content Security Policy directive: frame-ancestors self http://*.example.com/abc.html.
Can anyone tell why it's giving an error on refreshing the page?
Also, does frame-ancestors consider the full URL (http://*.example.com/abc.html) or only the hostname like http://*.example.com?
The Chrome browser has a bug: it does not support paths in the frame-ancestors directive. Safari has the same bug, and only the latest Firefox supports paths in this directive.
So for frame-ancestors, instead of http://*.example.com/abc.html you have to use the http://*.example.com host-source.
For other directives you can use paths and filenames.
Without a working example it is hard to know exactly what the problem is. But based on the specification, https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors, some adjustments to your CSP can be advised:
Remove the path, it is not according to the specification to use more than the scheme, host and port.
Use the expected scheme (http/https) or remove the scheme.
Use wildcard https://*.example.com, not just https://.example.com
Use 'self', not self
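A small checker that encodes the four adjustments listed above, as an added example that is not code from either answer. The directive strings are constructed, and the ancestor_scheme parameter is an assumption standing for the scheme the embedding (ancestor) page is served over.

```python
"""Flag frame-ancestors sources that browsers reject or misread.

Added example, not from the answers above. Checks for: an unquoted self
keyword, a path component, an http: source that cannot match an https
ancestor, and a host written as .example.com instead of *.example.com.
"""
from urllib.parse import urlsplit

KEYWORDS = {"'self'", "'none'"}


def lint_frame_ancestors(directive: str, ancestor_scheme: str = "https") -> list:
    """Return human-readable findings for a frame-ancestors directive."""
    findings = []
    name, _, value = directive.strip().rstrip(";").partition(" ")
    if name != "frame-ancestors":
        return [f"not a frame-ancestors directive: {name!r}"]
    for src in value.split():
        if src in KEYWORDS:
            continue
        if src in ("self", "none"):
            # Without quotes the keyword is parsed as a host literally named self.
            findings.append(f"{src}: keyword must be quoted as '{src}'")
            continue
        # Scheme-less sources are host-sources; prefix // so urlsplit parses them.
        parsed = urlsplit(src if "://" in src else "//" + src)
        if parsed.path not in ("", "/"):
            findings.append(
                f"{src}: path {parsed.path!r} is ignored or rejected by "
                "Chrome and Safari; use the host only")
        if parsed.scheme == "http" and ancestor_scheme == "https":
            findings.append(
                f"{src}: an http: source will not match an {ancestor_scheme} "
                "ancestor; drop the scheme or use https:")
        host = parsed.hostname or ""
        if host.startswith("."):
            findings.append(f"{src}: host starts with '.', did you mean '*{host}'?")
    return findings
```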

How to fix "Content Security Policy - contains an invalid source" error?

I'm getting this error and I don't know why; the scripts that I have included work?
And the error only shows up when I load a subpage, not when I load the start page.
So what am I doing wrong?
The source list for Content Security Policy directive 'script-src' contains an invalid source: ''strict-dynamic''. It will be ignored.
<meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline' 'unsafe-eval' https://checkout.dibspayment.eu https://www.google-analytics.com https://maps.google.com;">
Any input really appreciated, thanks.
And the error only shows up when I load a subpage. I'm getting this error and I don't know why
The source list for Content Security Policy directive 'script-src' contains an invalid source: ''strict-dynamic''. It will be ignored.
It's not an error, just a warning that your browser does not support the 'strict-dynamic' token (I guess you use Safari).
I guess that subpage is some Google iframe (OAuth2, reCAPTCHA, etc.). That iframe publishes its own CSP which contains the 'strict-dynamic' token, and this CSP was created in browser backward-compatibility mode (Google makes them that way).
That's a warning from a third-party CSP, not yours.
the scripts that I have included work?
Your parent page has its own CSP which allows scripts. The CSP of a nested browsing context (iframe) does not affect the parent page (except for the frame-ancestors directive).
So what am I doing wrong?
Nothing. It's the intended, regular working of Content Security Policy.
Each browsing context can have its own CSP. But all warnings will flow to one browser console, and that is misleading.

Content-Security-Policy: Difference between Google Chrome, Firefox, and Microsoft Edge

I'm new to Content-Security-Policy headers, and I've been trying to define our policy to get our app working correctly.
I'm a Google Chrome user, and under Google Chrome, everything seems to be fine. But, under Firefox or Edge, I see something like this:
CSP14309: Unknown directive 'script-src-elem' in Content-Security-Policy - directive will be ignored.
Why would script-src-elem be unknown in Edge and Firefox, but work correctly in Google Chrome?
What, exactly, is script-src-elem?
Help?
This is a new CSP 3 policy that has so far only been implemented in Chrome, and a handful of smaller browsers (e.g. Opera).
See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src-elem#Specifications

Content Security Policy - Server is not considering meta content

I have a strange problem with one server (the hosting company is Etisalat in the UAE). The website is not loading external scripts (also Google Fonts) or background images and some JavaScript.
The error I get in the console is like:
"Content Security Policy: The page’s settings blocked the loading of a resource at https://fonts.googleapis.com/css?family=Noto+Sans:400,700,400italic (“default-src http://riviera.ae http://googleapis.com”)"
I've tried adding the following to the <head> section:
<meta http-equiv="Content-Security-Policy" content="default-src * 'unsafe-inline' 'unsafe-eval'">
But still it does not load it. The images and other things work well in Internet Explorer (but XHR gives an error; I haven't tested it completely).
Also tried the following in .htaccess:
Header set Content-Security-Policy "default-src 'self' googleapis.com; script-src 'self' www.googleapis.com;"
Hope it's not against Stack Overflow policies to share the link of the domain (riviera.ae). Thanks for checking it out.
NB: I tried putting the same application on another server (*nix-based system with Apache 2+) and it works fine.
Even a phpinfo() gives the output in plain text (no PHP logo is shown, nor are the table styles rendered).
I got it working by putting "Header unset Content-Security-Policy" in the .htaccess file. I have to add other directives to make it secure, though.

Mixed Content , Content-Security-Policy and hash-source

I'd like to open an HTTP iframe inside an HTTPS page. Of course this is not normally possible, as it will trigger a 'mixed-content' violation.
Is there any way to bypass a mixed content block using "Content-Security-Policy" and hash sources?
Example:
http://mysite/my-frame.html has a SHA-256 hash of sha256-xxxyyy....zzz
https://mysite/index.html will be served with a Content-Security-Policy header as follows (or inlines an equivalent <meta> tag) along with CORS headers:
Content-Security-Policy: frame-src sha256-xxxxyyyy....zzz
https://mysite/index.html includes an <iframe src='http://mysite/my-frame.html'>
Will this work? Is there any other method to make this possible?
Note: No, upgrade-insecure-requests will not work, because the page is a navigational request AND the frame HAS to be served from HTTP.
No, there's no way to bypass the security block on modern browsers (starting from Firefox 23, Chrome 14, IE9).
Thankfully, most modern browsers block this type of dangerous content by default
ref: https://developers.google.com/web/fundamentals/security/prevent-mixed-content/what-is-mixed-content#mixed-content-types--security-threats-associated
What if the server sets the CSP child-src to http://mysite/my-frame.html? As I read the definitions, it should work.
child-src lists the URLs for workers and embedded frame contents. For example: child-src https://youtube.com would enable embedding videos from YouTube but not from other origins. Use this in place of the deprecated frame-src directive.
https://www.html5rocks.com/en/tutorials/security/content-security-policy/
